The TFTP agreement between the European Union and the United States came into force on 1 August 2010 – replacing a previous interim Agreement.

Such international agreement on financial messaging data transfers to the U.S. Treasury Department (UST) is necessary to ensure protection of EU citizens' privacy, while giving the U.S. and EU law enforcement authorities a powerful tool in the fight against terrorism.

Main elements of the 2010 Agreement

The agreement introduced safeguards to accommodate concerns about security, privacy and respect of fundamental rights.

It strengthened data protection guarantees relating to transparency, rights of access, rectification and erasure of inaccurate data. It guarantees non-discriminatory rights of administrative redress and ensures that any person whose data are processed under the Agreement has the right to seek in the U.S. judicial redress for any adverse administrative action. The agreement further acknowledges the principle of proportionality as a guiding principle for its application.

Under the agreement, a European public authority - Europol - assesses whether the data requested in any given case are necessary for the fight against terrorism and its financing. Europol also verifies that each request is tailored as narrowly as possible to minimise the amount of data requested. If a request for data does not meet these conditions, no data can be transferred under the Agreement.

The Agreement also foresees a regular review of the implementation of the TFTP, its safeguards, controls, and reciprocity provisions. Two joint reviews took place (in accordance with Article 13), the latest in 2012 (IP/12/1366). A third joint review is envisaged for 2014.

In addition, the Agreement requires that 3 years after its entry into force an assessment should be prepared on the use and value of TFTP provided data for purposes of identifying, tracking and pursuing terrorists and their networks (in accordance with Article 6). This is the focus of today's mid-term report.

identify as clearly as possible the data, including the specific categories of data requested, that are necessary for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing;

clearly substantiate the necessity of the data;

be tailored as narrowly as possible in order to minimize the amount of data requested, taking due account of past and current terrorism risk analyses focused on message types and geography as well as perceived terrorism threats and vulnerabilities, geographic, threat, and vulnerability analyses;

not seek any data relating to the Single Euro Payments Area.”

Article 4(4) et seq:“Upon receipt of the copy, Europol shall verify as a matter of urgency whether the Request complies with the requirements of paragraph 2. Europol shall notify the Designated Provider that it has verified that the Request complies with the requirements of paragraph 2.”

Article 5 sets out detailed and legally binding safeguards and controls guarding against any wrongful processing of personal data under the Agreement.

Article 5(2):“Provided Data shall be processed exclusively for the prevention, investigation, detection, or prosecution of terrorism or its financing”

Article 5(3):“The TFTP does not and shall not involve data mining or any other type of algorithmic or automated profiling or computer filtering.”

Article 5(4):“…Provided Data shall not be interconnected with any other database; …Provided Data shall not be subject to any manipulation, alteration, or addition…”

Article 5(5):“All searches of Provided Data shall be based upon pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing.”

Article 5(6): “Each individual TFTP search of Provided Data shall be narrowly tailored, shall demonstrate a reason to believe that the subject of the search has a nexus to terrorism or its financing, and shall be logged, including such nexus to terrorism or its financing required to initiate the search.”

Article 5(7):“Provided Data may include identifying information about the originator and/or recipient of a transaction, including name, account number, address, and national identification number.”

See also Recital on proportionality as guiding principle of Agreement.

Article 6(1):UST must undertake ongoing assessment to identify and delete data which are no longer necessary for purpose of Agreement. Article 12(4) states that data deletion obligations of the Agreement will continue to operate notwithstanding termination of the Agreement

Article 6(2):“If it transpires that financial payment messaging data were transmitted which were not requested, the U.S. Treasury Department shall promptly and permanently delete such data and shall inform the relevant Designated Provider.”

Article 6(4): Non-extracted data are to be kept for no longer than 5 years. But NB also Articles 6(5) and 6(6) requiring assessment of whether the period should be reduced during lifetime of Agreement.

Article 6(6): “Not later than three years from the date of entry into force of this Agreement, the European Commission and the U.S. Treasury Department shall prepare a joint report regarding the value of TFTP Provided Data, with particular emphasis on the value of data retained for multiple years and relevant information obtained from the joint review conducted pursuant to Article 13. The Parties shall jointly determine the modalities of this report.”

Article 6(7): “Information extracted from Provided Data, including information shared under Article 7, shall be retained for no longer than necessary for specific investigations or prosecutions for which they are used.”

Article 7sets out detailed limitations on onward transfer. Only data derived from individual searches pursuant to Article 5 may be the subject of onward transfer, such data are subject to a logging obligation, may only be shared with public authorities responsible for the fight against terrorism and exclusively for counter terrorism purposes. Where the UST is aware that the data are those of an EU citizen or resident, their onward transfer is broadly subject to the prior consent of the competent MS authorities; Onward transfer must be subject to a commitment by the receiving party to delete the data once no longer necessary for the particular investigation.

Article 9states that the US will spontaneously provide information derived from the TFTP to competent authorities of MS and to Europol and Eurojust as appropriate where that information may be relevant to the fight against terrorism.

Article 10 states that competent authorities of MS and Europol and Eurojust as appropriate, may request that UST carries out searches of the TFTP database in connection with an investigation of a person suspected of terrorism.

Article 12confirms that the safeguards will continue to be subject to SWIFT scrutiny and inspection of independent auditors. In addition, the Commission may appoint an independent person who will monitor this oversight on an ongoing basis.

Article 13sets out detailed provisions on the Review of the Agreement. The Review will be led by the Commission with a team including independent data protection, security and judicial experts.

“[…] The review shall include a representative and random sample of searches in order to verify compliance with the safeguards and controls set out in this Agreement, as well as a proportionality assessment of the Provided Data, based on the value of such data for the investigation, prevention, detection, or prosecution of terrorism or its financing. […]”

Transparency, right of access, right of rectification, erasure and blocking are guaranteed by Articles 14, 15 and 16. Redress rights both administrative and judicial are guaranteed by Article 18. Recital states that proportionality is a guiding principle of the Agreement.

Article 18ensures non-discriminatory administrative redress, and rights of judicial redress for any person whose data are processed pursuant to the Agreement

Article 20(2): “Nothing in this Agreement shall derogate from existing obligations of the United States and Member States under the Agreement on Mutual Legal Assistance between the European Union and the United States of America of 25 June 2003 and the related bilateral mutual legal assistance instruments between the United States and Member States.”

Article 21:deals with suspension or termination of the Agreement

Article 21 (1):“Either Party may suspend the application of this Agreement with immediate effect, in the event of breach of the other Party’s obligations under this Agreement, by notification through diplomatic channels.”

Article 21 (2):“Either Party may terminate this Agreement at any time by notification through diplomatic channels. Termination shall take effect six (6) months from the date of receipt of such notification.”

Article 23(2):The Agreement is for a period of 5 years renewable for one year periods unless otherwise terminated.